I am a Linux beginner, on a steep learning curve. I wanted to ask the community here to help me secure and harden my Sheeva Plug. It is currently running the Ubuntu included in the SheevaPlugInstaller (4GB MMC-based setup). My goal is to have the Plug as a static web server server for periodically changing content like weather graphs and web cam snapshots. The Plug server will be connected to the DMZ port on my firewall.

It would also be nice if the Plug could automatically keep itself updated with the latest patches (especially security) and report periodically its state, including state of connectivity and running services). This may sound like a job for the MONIT framework?

The planned steps are listed below. This is just a general plan, please contribute with links and replies to each point or add additional points.

The Ubuntu as supplied does have any insecure services exposed, which is good, but check with netstat -a of course.

I've added some iptables stuff for an extra layer.

I would *not* do an unsupervised 'auto update' applications for security reasons; just do an apt-get update from time to time. And basically Apache2 is pretty robust and if you stick to core modules there's probably not much bad left to be found in there...

Reedy, re "FTP is unsecure, dont even bother with it" - the Plug's environment is controlled by external firewall, so FTP is only open to local (LAN) clients. External clients are allowed only on http protocol, terminated by the http service. So I think there is not much insecurity introduced by ftp itself...